[00:06.570 --> 00:11.730]  Hi everybody, I'm Anthony. I go by Koin and I'm one of the developers of Starkiller and Empire.
[00:11.850 --> 00:20.050]  I'm also here with Jake and Vince. Hey, I'm Jake. I go by Hubble. I'm also one of the developers for
[00:20.050 --> 00:25.450]  Starkiller and Empire. And I'm Vince. I created Starkiller and I'm the lead developer.
[00:26.510 --> 00:30.670]  So we're going to be talking about Starkiller today, which is our threat emulation platform
[00:30.670 --> 00:35.510]  that we use for red teaming. What this allows us to do is to have an intuitive interface
[00:35.510 --> 00:40.490]  that multiple users can log in from and interact with the team server, as well as it has some
[00:40.490 --> 00:44.870]  hooks built into it to the MITRE ATT&CK framework that give links to techniques
[00:44.870 --> 00:50.590]  inside of all our modules. And what this setup allows us to do is to have our teams most accurately
[00:50.590 --> 00:57.110]  emulate the threats for our assessments. Since we're trying to emulate that threat,
[00:57.110 --> 01:01.270]  what we're really focusing on is trying to make sure that we're replicating their TTPs,
[01:01.270 --> 01:06.690]  those tactics, techniques, and procedures. Since this is what the threat is going to use to obtain
[01:06.690 --> 01:11.130]  their objectives, we're going to make sure that everything we do in our tests focuses on what
[01:11.130 --> 01:16.410]  the threat's going to be and be representative. That includes our infrastructure. We want to make
[01:16.410 --> 01:22.870]  sure that our infrastructure mirrors exactly what an APT setup is going to look like. For example,
[01:22.870 --> 01:28.650]  our stagers and payloads, as well as our implants will mirror the threats. Our setup will typically
[01:28.650 --> 01:34.010]  include multiple operators across different locations, all connected to the team server.
[01:34.710 --> 01:39.170]  They may be spread out as well to make sure that everything is segregated. So that way,
[01:39.170 --> 01:44.150]  if one server goes down, we're not going to lose our entire operation and burn it. We want to make
[01:44.150 --> 01:48.950]  sure that our infrastructure mirrors what the threat's going to do and are going to be able
[01:48.950 --> 02:00.960]  to emulate what they're going to be running for their attacks. So what you kind of saw in the
[02:00.960 --> 02:09.640]  that connects to our team server. So Starkiller provides a UI on top of the C2 server,
[02:09.640 --> 02:16.940]  in this case, Empire. And it allows us to interact as a team. So we have multi-user support.
[02:16.940 --> 02:24.520]  We have a live reporting interface. So anytime a team member runs a module or a command,
[02:24.520 --> 02:29.980]  we're able to instantly see those commands through the interface. And it simplifies a lot
[02:29.980 --> 02:33.200]  of the workflows that are a little bit more tedious through the CLI.
[02:35.820 --> 02:44.060]  So as we mentioned, Starkiller is a GUI interface that interacts with the Empire C2 server. Empire
[02:44.060 --> 02:49.360]  is built on PowerShell and Python, for those of you that aren't aware. With the addition of
[02:49.360 --> 02:55.340]  Starkiller, it can now be run as either a team server or an all-in-one C2, which means just a
[02:55.340 --> 02:59.860]  person's running the C2 on the command line directly, like there's no other infrastructure
[02:59.860 --> 03:07.200]  required to run that C2. It has a bunch of adaptive modules. We're up to about 300 now.
[03:07.420 --> 03:13.800]  And then the original project ended support back in August of 2019, but we forked it and have been
[03:13.800 --> 03:18.840]  maintaining and updating it ever since, which is why we built Starkiller on top of it. And we
[03:18.840 --> 03:25.240]  really built Starkiller to address some of the shortfalls that Vincent mentioned, to allow for
[03:25.240 --> 03:31.400]  threat emulation and just like a modern red team engagement when using Empire as your primary C2.
[03:34.000 --> 03:39.880]  So ever since we forked Empire when it was originally, when support was originally ended,
[03:39.880 --> 03:44.840]  we get asked a lot why we still think PowerShell is important, because there's a whole bunch of
[03:44.840 --> 03:50.300]  mitigations in place, you know, like script block logging and AMSI and all those kinds of things
[03:50.300 --> 03:56.340]  that do make PowerShell much more difficult when it is implemented properly. But even though
[03:56.340 --> 04:01.960]  red teams have started moving on to C-Sharp and other .NET tradecraft and Microsoft has started
[04:01.960 --> 04:10.460]  kind of focusing protections elsewhere, PowerShell is still a huge attack vector that's utilized
[04:10.460 --> 04:17.480]  like every day by APTs. CrowdStrike came out with a report in 2019 that said as many as 90%
[04:17.480 --> 04:23.180]  of breaches use PowerShell in some way. Now that doesn't mean that PowerShell is their primary
[04:23.180 --> 04:28.580]  means of operations, or even that it's the majority of what's being done, but it's still
[04:28.580 --> 04:34.440]  used in 90% of breaches according to CrowdStrike. So we still think it's really worthwhile for red
[04:34.440 --> 04:39.800]  teams to emulate threats using PowerShell, because even though all those mitigations
[04:39.800 --> 04:45.400]  do exist for it, we still see many, many organizations that are vulnerable to PowerShell
[04:45.400 --> 04:53.570]  because they don't have those mitigations properly implemented. So what we have here is our team
[04:53.570 --> 04:58.330]  server setup running Empire. We also have multiple Starkiller instances all connected
[04:58.330 --> 05:03.750]  to that team server. That team server is then sitting in a secure location that could be either
[05:03.750 --> 05:10.410]  in the cloud or like one of our offices. There is then a secure line directly into our server,
[05:10.410 --> 05:15.510]  our cloud server. In this case, it's AWS. That cloud server is then going to reach out to all
[05:15.510 --> 05:19.910]  of our redirectors. We have these multiple redirectors up in case one of them gets burned,
[05:19.910 --> 05:24.870]  that way if it does happen, we don't lose our entire infrastructure. Why we do this is this
[05:24.870 --> 05:29.870]  setup allows us to rebuild certain parts of our infrastructure very easily, so we don't lose
[05:29.870 --> 05:37.270]  critical pieces. Yeah, and then just another advantage of setting up our infrastructure this
[05:37.270 --> 05:44.730]  way is it allows us to really lock down our Empire server on top of using like reverse port forwarding
[05:44.730 --> 05:50.970]  to connect to the AWS server so that the Empire server can't be accessed directly from outside
[05:50.970 --> 05:56.730]  our network. We can also lock it down internally because we can basically lock
[05:56.730 --> 06:02.690]  everything down except for the Starkiller ports. And that way, if our network is compromised,
[06:02.690 --> 06:09.190]  it limits the ability for an attacker to access the Empire server, and more importantly, access
[06:09.190 --> 06:13.550]  the customer data that we're going to be handling since many times that data is extremely sensitive.
[06:14.270 --> 06:20.870]  So really, the main two goals for Starkiller for us is one, we want to make our workflows
[06:20.870 --> 06:26.450]  for red teams to be more efficient. And we do that by eliminating some of the menu options that were
[06:26.450 --> 06:31.170]  in Empire and making them more simplified. Previously in Empire, what you had to do was you
[06:31.170 --> 06:36.190]  had to memorize or go through multiple menus to be able to set up your listeners, your stagers,
[06:36.190 --> 06:41.030]  and your modules. Through Starkiller, what you have now is you have these menus that are
[06:41.030 --> 06:46.170]  pre-populated. Sometimes they have drop-down menus. And this makes workflows much, much easier
[06:46.170 --> 06:53.150]  for teams. The second thing is the team-oriented engagements. With Empire previously, you can only
[06:53.150 --> 06:57.750]  have one person logged in at a time. They're using that command line interface. And if somebody else
[06:57.750 --> 07:02.690]  wanted to do an engagement, you have to stand up a completely separate server. Now with Starkiller,
[07:02.690 --> 07:07.610]  you can have multiple users all using the same team server. They can share credentials. They can
[07:07.610 --> 07:12.670]  share their results from their modules. And they can generate a single report for their entire
[07:12.670 --> 07:20.690]  engagement. Yeah, and then just to add a little more to that, we plan on future growth for this
[07:20.690 --> 07:25.190]  capability as well. But it also provides more oversight for the team lead by giving them a
[07:25.190 --> 07:30.350]  centralized location to see what their operators are doing, what things have been done, as well as
[07:30.350 --> 07:33.970]  when things are run on individual boxes and that kind of thing. It gives them a centralized location
[07:33.970 --> 07:39.280]  to see all that data and keep an eye on the operation as it's progressing.
[07:42.900 --> 07:48.920]  So setting up Starkiller is fairly simple. When you run Empire, you're going to pass the REST
[07:48.920 --> 07:55.160]  parameter, which tells it to run the REST API. There's a default login and password, which you
[07:55.160 --> 08:02.380]  can change. And then to actually run Starkiller, you can either download the installer for Windows,
[08:02.380 --> 08:10.380]  off of the releases page on GitHub, or there's instructions in the readme to build it from the
[08:10.380 --> 08:19.480]  source. All right, thanks, guys. We're going to demo the features of Starkiller now. So Vince
[08:19.480 --> 08:25.040]  has an instance set up already, back into our personal range, where Empire is already
[08:25.040 --> 08:29.140]  running on a team server. And then we have Starkiller connecting into that.
[08:31.400 --> 08:37.600]  Okay, so this is the Starkiller login page. I'm going to log in using the default username and
[08:37.600 --> 08:43.620]  password. And we're connecting to an Empire instance that we already have running.
[08:45.460 --> 08:53.780]  When I go to the settings page, we can change our password, we can turn dark mode on and off,
[08:53.780 --> 09:02.080]  we have access to our API token for connecting to the Empire API. This is useful if you want to
[09:02.080 --> 09:07.120]  interact with the Empire API outside of Starkiller, or if you wanted to use some
[09:07.120 --> 09:15.180]  other tool like Deathstar to interact with the Empire API. The next piece is the user
[09:15.180 --> 09:21.040]  management page. So on this page, we get a list of all the users that have an account for Starkiller.
[09:21.040 --> 09:27.120]  We can see when they last logged in, and we're able to enable and disable those users.
[09:27.960 --> 09:32.380]  I'm going to go ahead and create a user account for myself
[09:34.440 --> 09:43.090]  with the password of password. And we can see that I now have an account.
[09:46.600 --> 09:52.980]  So the next thing is the modules list page. So this page gives you a list of all of the modules
[09:52.980 --> 09:59.840]  that we have access to in our instance of Empire. And using the search box, we can search down by
[09:59.840 --> 10:06.840]  the name of the module, we can search down by the MITRE ATT&CK techniques, and also
[10:07.740 --> 10:14.320]  the descriptions of the modules. So here I'm going to filter down by a MITRE ATT&CK technique,
[10:14.320 --> 10:20.480]  and I get the two modules that are in this technique. And if I click into it,
[10:20.480 --> 10:26.000]  it'll bring us to the web page for that MITRE ATT&CK technique so that we can
[10:26.480 --> 10:34.950]  get more information about it. And then here, if we expand an individual module,
[10:35.330 --> 10:40.710]  we can get the author information, we can get the description about that module,
[10:40.710 --> 10:46.310]  and then often the comments will have a link back to the source material for that module.
[10:51.380 --> 10:56.860]  Okay, so this is the listeners list page. And here we can see all the listeners that have
[10:56.860 --> 11:04.160]  already been created in Empire. So let's go ahead and create another one. We're going to choose a
[11:04.160 --> 11:11.480]  type. And then once we choose that type, we get the form pre-filled out with all the defaults.
[11:11.480 --> 11:18.340]  And we're going to go ahead and just update this so it doesn't overlap with the previously created one.
[11:18.340 --> 11:24.720]  And any optional fields are just in this expandable context here.
[11:25.420 --> 11:28.940]  I'm going to submit, and that listener has been created.
[11:30.480 --> 11:37.360]  The next page is the stagers page. Stagers are the initial payload that we send to the agent
[11:38.020 --> 11:42.380]  to initiate the connection back to our C2 server. So you can see that we already have
[11:42.480 --> 11:46.700]  a couple of stagers created here. I'm going to go ahead and generate a couple more.
[11:47.620 --> 11:53.720]  So the first one that I'm going to create is a multi-launcher. And we're going to have it
[11:53.720 --> 11:58.580]  connect to the listener that I just created. And we're going to keep the rest of the settings the
[11:58.580 --> 12:04.920]  same. Up here, I can expand the information box, and that'll give us some more info about the
[12:04.920 --> 12:21.280]  stager. Okay, so that one's been created. Now I'm going to create one more. This one is going to be
[12:21.280 --> 12:28.100]  downloadable DLL. And again, I'm going to choose the listener that we just created.
[12:28.120 --> 12:35.460]  I'm going to hit submit. Okay, so now that we've created those two stagers, we can see
[12:36.160 --> 12:41.700]  some information about it, which listener it connects back to, the language, and when it was
[12:41.700 --> 12:47.800]  created. And then over here, we have the ability to copy or download. So this first one that we
[12:47.800 --> 12:53.800]  generated, multi-launcher, has a little paperclip icon. And when you click that, it copies it to the
[12:53.800 --> 12:59.820]  clipboard, because this is like a one-liner that you can then paste into a command prompt or your
[12:59.820 --> 13:07.520]  PowerShell window. And the second one here has a download icon, because it's a file. And you can
[13:07.520 --> 13:12.060]  download this file and then get that to your target, however you need to get it to them.
[13:13.340 --> 13:20.960]  Yeah, and something that's really nice about this over Empire is that our stagers remain persistent,
[13:20.960 --> 13:27.280]  not only for when we change between menus, but also if you log out of StarKiller and then log
[13:27.280 --> 13:33.860]  back in, your agents will still be there. Because in Empire, especially when we create one-liners,
[13:33.860 --> 13:37.980]  as soon as we move to another menu, it's gone. And we have to regenerate it and then cut and
[13:37.980 --> 13:42.360]  paste it and save it and all those things, whereas StarKiller just keeps it all in one
[13:42.360 --> 13:47.800]  place for us and saves it between sessions and all that kind of stuff, which is just
[13:47.800 --> 13:51.900]  significantly more convenient than operating directly in Empire.
[13:54.080 --> 14:00.940]  Okay, so now that we've sent those stagers out, we've gotten some callbacks into our Empire
[14:00.940 --> 14:07.620]  server. And so that brings us to the agents list. And here we can see all of the agents that have
[14:07.620 --> 14:14.220]  called back to us. We can see the last time they checked in. We can see the username of the account that
[14:14.220 --> 14:20.320]  we're connected to. And if we click into it, that brings us to probably the screen that you'll spend
[14:20.320 --> 14:25.360]  the most time in when you're using StarKiller, which is the agent interaction screen. And this
[14:25.360 --> 14:28.920]  is where I'm going to hand it off to Koin to talk about interacting with agents.
[14:29.960 --> 14:34.920]  So what we have here is our agent screen, as Vince talked about before. This allows us to do our
[14:34.920 --> 14:40.800]  shell commands as well as execute modules. There's a couple of nice features here. As we can see at
[14:40.800 --> 14:45.860]  the bottom, Hubble actually just ran something. This interface allows multiple users to interact
[14:45.860 --> 14:49.960]  with the same agent. And every command that you run is going to be tagged with the username that
[14:49.960 --> 14:56.340]  you have associated with yourself. So for example, I ran earlier, I set my beacon to be delay zero,
[14:56.340 --> 15:01.120]  and I ran that command under my Empire admin account. While Hubble ran whoami and then
[15:01.120 --> 15:07.140]  got his results back. I can also go in here and I can go to shell commands. I can type in ps,
[15:07.140 --> 15:11.940]  just like I would in Empire, to get my process list. It's now going to run that. It puts it in
[15:12.080 --> 15:16.620]  a queue. All commands are set into a queue, regardless of who sends it, and it'll execute
[15:16.620 --> 15:22.060]  that queue throughout and then drop all the results in the screen. Your results aren't just
[15:22.060 --> 15:25.920]  going to be in the screen. It's also saved in a database that then gets populated on a reports
[15:25.920 --> 15:32.400]  page. So everything everybody does will be aggregated together into one master log. And you
[15:32.400 --> 15:36.800]  can see here, the process list just came back. So you can come in, take a look. I can scroll through
[15:36.800 --> 15:41.540]  and see all the different processes that are running, as well as I can also adjust the size
[15:41.540 --> 15:47.260]  of this screen if I wanted to expand it a little bit as well. Next is the modules. So you have
[15:47.260 --> 15:51.260]  access to all the modules that are inside of Empire. It's nice because you don't have to
[15:51.260 --> 15:55.100]  navigate all the menus. You can actually come in here and just type in exactly what you want to run.
[15:55.920 --> 16:01.380]  I can type in Mimikatz. In this case, we're actually going to run Sherlock. I come in, select
[16:01.380 --> 16:05.180]  Sherlock, which is a nice little tool that'll allow me to look at some privilege escalation
[16:05.180 --> 16:11.380]  opportunities. We still have access to those MITRE ATT&CK techniques from before, so I can click on
[16:11.380 --> 16:17.300]  those, as well as a description and information about the module I want to run. So once I hit
[16:17.300 --> 16:23.980]  submit, it's going to run that module. It's going to queue it up, and then we'll get the results,
[16:23.980 --> 16:28.720]  and we can see that later in the reporting function. Next, we're going to go over into
[16:28.720 --> 16:33.740]  an elevated process agent. That way, we can show off another feature. So now I can come in here.
[16:33.740 --> 16:38.420]  Now that I'm in an elevated process, I can go in and run some techniques that maybe I don't have
[16:38.420 --> 16:44.840]  access to under a normal user, such as Mimikatz. So I'm going to go in, pull up Mimikatz. I have
[16:44.840 --> 16:48.840]  all the same interface stuff, as well. I'm going to hit submit there, as well. So now both of those
[16:48.840 --> 16:53.440]  are queued up, and I can see those results later inside of my reporting function.
[16:57.410 --> 17:02.730]  So now we're going to look at the credentials page. And you can see here, we already have a
[17:02.730 --> 17:09.150]  couple entries from running Mimikatz. And so the nice thing about this credentials page is it's
[17:09.150 --> 17:17.670]  central to everybody, all of the team members engaging on this Empire server. So whether I
[17:17.670 --> 17:23.730]  run Mimikatz or Hubble is getting credentials, they're all going to be dumped to this page,
[17:23.730 --> 17:30.430]  and we can all see all of the credentials. And these password hashes are going to be useful to
[17:30.430 --> 17:41.340]  us when we want to try to do lateral movement. Now, the last piece that we want to show you
[17:41.340 --> 17:48.080]  with Starkiller is this reporting interface. It's going to show you, in order of when it ran,
[17:48.080 --> 17:56.720]  when a command was run on an agent, who ran it, and what the response was. So for example,
[17:56.720 --> 18:03.160]  this is the last command that was run. We can see that it was run by Empire Admin, which is me,
[18:03.160 --> 18:10.300]  and we can see the agent that it was run on, and we can see the full output of that command.
[18:10.440 --> 18:16.420]  And now just a side note here, you'll notice this function name is just a random five-character
[18:16.420 --> 18:23.380]  string. That's one of the features that are built into Empire for keyword randomization. So this
[18:23.380 --> 18:29.180]  function name is just a random five-character string. That string is typically known as
[18:29.180 --> 18:37.080]  Mimikatz, and so that randomization just allows us to prevent strings that are known flags from
[18:37.080 --> 18:45.780]  showing up in memory when Empire is being run. Okay, so now if we expand another one, we can see
[18:45.780 --> 18:54.640]  the output of the ps command in its entirety. And this page is really useful to the operator of the
[18:54.640 --> 19:00.520]  engagement, so that they can get a holistic view of all of the different things that are going on
[19:00.520 --> 19:10.540]  during the engagement. So at the bottom of Starkiller, we have links to the Empire and
[19:10.540 --> 19:17.320]  Starkiller repos. We'd love to get feature requests and bug tickets that we can fix,
[19:17.320 --> 19:19.320]  and we look forward to your feedback.
